A San Antonio police report said the tapes containing the sensitive information, including diagnoses and treatment information on beneficiaries in the Defense Department's Tricare program, were left in the car for most of the day.

The worker has been placed on administrative leave, but SAIC would not say if he was being paid.

“It was his job to transfer the tapes in an expeditious manner between facilities, and that's all we're going to say at this point,” SAIC spokesman Vernon Guidry said.

Police said the car was parked at 300 Convent from 7:53 a.m. to 4:30 p.m. Sept. 13. A stereo system valued at $300 and a GPS device were stolen from the worker's 2003 Honda Civic, along with the backup tapes. The worker valued the data tapes at $100.

Tricare had little to say about the incident, but Guidry said the tapes were being moved from one federal facility in San Antonio to another, “pursuant to contract requirements,” when they vanished.

They were being relocated in hopes of finding a way to encrypt the data so the tapes could work with an operating system, Guidry said. The system used to back up information on the tapes could not encrypt data to federal standards.

Guidry didn't say if the worker violated a company rule in leaving the tapes in his car, but conceded “if they weren't in the car, they wouldn't be stolen.” But he said there was no evidence so far that “the data has been accessed by unauthorized persons.”

SAIC, an $11 billion contractor that works extensively for the Pentagon and other federal agencies, has had data breaches in the past. In 2007, the Washington Post reported some workers sent unencrypted health data over the Internet.

Stan Stahl, co-founder of a Los Angeles company specializing in information security, described SAIC as a large firm with high standards, and couldn't explain the latest incident.

“How does it happen? ... At one level, the answer's totally carelessness, obviously,” Stahl said.

The tapes stolen in San Antonio contained information ranging from Social Security numbers and patient addresses to such health information as lab tests done in San Antonio for patients in Tricare's 10-state southern region. They did not include credit card or bank account information.

The Army Medical Command said Thursday it had notified its beneficiaries how to take measures to protect themselves after learning of the incident, but it did not comment further, referring the matter to Tricare.

A Tricare spokesman, Austin Camacho, did not say if there were security procedures guiding the storage and handling of such tapes. He also did not comment on what would be done to prevent a similar breach, and said any action would “depend on the results of the investigation when we have determined the degree of risk.”

Stahl, president of Citadel Information Group, said the one sure solution would be to treat sensitive records with greater care.

“Let's take a medical facility. They've got a heart that needs to be transplanted into a patent and they give it to somebody to take from Point A to Point B. Is that person going to stop for eight hours along the way?” he said.

“If you're looking at personal information, private information about people — separate from the laws — I go back to the basic morality of this. We have laws, but that's only a piece of it. You've got a responsibility to those people.”

San Antonio Express-News reporter Michelle Mondo contributed to this report.